In addition to the problems mentioned in the video, note that there is a problem to exposing too many passwords to a user which relates to passwords being system codes, there is more on that on MeatballWiki.
Myrtone 1 year ago
This is much worse because everything is centralized, so keeping different accounts still pays off. But yeah, it's harder to manage.
edgecrush3r 2 years ago
@edgecrush3r see 17:30-18:30 in the video for the solution to this question.
andjack 1 year ago
I'm still not convinced about IDP spoofing, at all...
1. User visits a malicious RP page containing what looks like a regular OpenID login form.
2. User enters OpenID URL.
3. Malicious RP redirects user to another page that looks like the user's OP (call this Fake-OP), using a proxy to load/modify the content.
4. Fake-OP asks user for password.
The user, not noticing the difference from his usual OP, enters his password.
5. Fake-OP now has user's password.
edgecrush3r 2 years ago
Meh! Get roboform!
DryBaboon 3 years ago
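The scenario edgecrush3r lays out works because a person cannot reliably tell a proxied look-alike page from the real OP, and DryBaboon's password-manager remark is the usual defensive answer: software that binds a credential to an exact origin will not hand it to a different one. The following is an added illustration, not code from the video, the commenters, or any particular password manager. It assumes a constructed registered OP origin (`https://openid.example.com`) and a constructed vault; the hypothetical `release_password` helper releases the stored password only when the visited page's origin matches exactly, which is what defeats steps 3 and 4 of the scenario.

```python
from urllib.parse import urlsplit

# Constructed example: the user's real OP login origin and the password
# a manager would store for it. Neither value comes from the thread.
REGISTERED_OP_ORIGIN = "https://openid.example.com"
VAULT = {REGISTERED_OP_ORIGIN: "constructed-op-password"}


def normalize_origin(url: str):
    """Reduce a page URL to scheme://host[:port], or None if it is not trustworthy.

    Only https is accepted (a proxying Fake-OP over plain http is rejected),
    the host is compared in its ASCII/IDNA form so Unicode look-alike hosts
    cannot masquerade as the registered one, and the default port is dropped
    so https://HOST:443 and https://host are the same origin.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # already lower-cased by urlsplit
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def release_password(vault: dict, page_url: str):
    """Return the stored password only for an exact origin match, else None.

    Prefix tricks (openid.example.com.attacker.net), userinfo tricks
    (openid.example.com@attacker.net), scheme downgrades and odd ports all
    normalise to a different origin and therefore get nothing.
    """
    origin = normalize_origin(page_url)
    if origin is None:
        return None
    return vault.get(origin)


if __name__ == "__main__":
    # Constructed URLs: the genuine OP and several Fake-OP variants.
    for url in (
        "https://openid.example.com/login?return_to=https://rp.example.net/",
        "https://OPENID.EXAMPLE.COM:443/login",
        "https://openid.example.com.attacker.net/login",
        "https://openid.example.com@attacker.net/login",
        "http://openid.example.com/login",
        "https://openid.example.com:8443/login",
    ):
        print(f"{url!r:70} -> {release_password(VAULT, url)!r}")
```

The point of the exact-match rule is that it does not depend on the user noticing anything: the same manager that types the password into the real OP stays silent on the proxy, which turns step 5 of the scenario into a visible failure instead of a silent credential theft.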
I enjoyed the talk a lot, but I didn't like how he kinda kept avoiding interesting security issues with OpenID just by saying that the issues are already here. It's not about whether or not OpenID is just as vulnerable as using your email address across the internet and stuff. It's about what OpenID should do to combat this vulnerability. The whole "forgot my password" scam shouldn't be equivalent to OpenID, at least to me...
blackwire00 4 years ago
This is a great talk, and I had the same reaction to the phishing/credential stealing problem. He did sidestep the actual problem; however, I realized a solution to this:
One Time Passwords. If your OpenID provider is hacked, they should only have the information required to authenticate you, not the secret information you have yourself. Look into technologies such as Yubico's Yubikey. Also, I'd hope any password auth provider would only store one-way hashes, not the pass itself.
XenTityX 3 years ago
I would really like it too. Maybe through Gmail.
mikehc23 4 years ago
I'd really like to see Google start offering an OpenID service, and I could see Apple doing it as part of their .Mac service too.
The only big name right now is AOL, and I don't really like it.
zer0graph 4 years ago